Executive Viewpoint 2013 Prediction: Bromium

By Tal Klein
Wednesday, January 16th 2013

The first of my predictions for 2013 is that this coming year will herald the end of the “Signature Era”. That is, detection as a mechanism for protection shifts from commodity to extinction. Since the inception of distributed malware, the standard mechanism for determining which company’s information security technology is better than another’s has been to run a series of tests measuring how good each program is at detecting malware – a signature arms race in which the police department with the biggest fingerprint database wins. This methodology must expire next year, as it is plainly obvious that the new generation of malware is becoming undetectable. Advanced Persistent Threats contain multiple polymorphic payloads, target more than one vulnerability, and engage whitelisted vectors that prey on organizational structures and social relationships. As detection-based tools turn up their sensitivity in vain to try to keep up with these new attacks, they also increase the rate of false positives, as we’ve seen recently when more than one vendor misidentified and quarantined essential applications (in some cases their own agents) as malware.

Just as chain mail and cavalrymen became extinct with the age of gunpowder and jets, the enemy’s new weapons beget a new class of tools that do not rely on detection in order to protect. If we look to criminology for a metaphor, detectives are the people you call after the crime to determine what happened; they aren’t the people you put in place to prevent the crime as it’s happening (or, ideally, before it happens). To that end, I believe detection will continue to have utility as a mechanism for attack forensics (such as determining intent and correlating attacks to identify common targets), but not for protection.

If enterprises continue to rely on technologies that try to detect malware as the mechanism for remediation, they are dooming themselves. These types of attacks can remain dormant for months before reaching their intended targets, and removing them after they strike may be pointless: the damage has already been done.

My second prediction is that APT developers will develop antigenic shifting components and, akin to the Avian and Swine flus, jump species – we will see malware that begins life on one platform, or OS, and then hops on to another.

Syncing one device to another has already transcended the backup use case. As applications move beyond “living” on a single device, the likelihood of targeted malware that takes advantage of syncing to move from unprivileged devices onto privileged ones becomes very real. In a post-Stuxnet world where malware propagates from Windows PC laptops to Siemens S7-300 manufacturing control systems through exploits in the controller application, is it really that big of a leap to imagine that malware can propagate from phone to laptop and from laptop to tablet through operating system and application vulnerabilities?

In my opinion, these are the things that will keep CISOs up at night in 2013.